where can i get that snort rules snapshot?

@@phantomtq same can't found it

Based on the line number, I'm guessing you have not fully commented out (that is, disabled) the reputation preprocessor. You need to put a # character in the first position of every line in the preprocessor configuration in snort.conf. You should also verify that there is a \ character at the end of each of the first 5 lines in the reputation preprocessor configuration (not after the last line).

@@SteveGantz I made that changes and it seems to be working. Thanks for your help.

Once you are in c:\Snort\bin, the command is just "snort -W"

chek your home net variable

i have the same error, i think is the firewall bc i try everything(rules, interfaces etc. and nothing)

@@jonathangarciacastro1638 Please let me know if you find the steps to fix this problem. Haven't found solution yet and I have no clue which firewall settings or rules I have to set.

@@VasquezXD sure bro, do you speak spanish? English is not my first language, that's why i can't explain me better

@@jonathangarciacastro1638 I do not, but you can explain in Spanish and I can use google translate or get someone to help me translate it.

@@VasquezXD hey, i didnt find the problem with the alerts, so i tried another way.Install snort in the firewall Pfsense and now it works perfectly for me

The first startup command I use in the video is: snort -i 4 -c c:\Snort\etc\snort.conf -T The -T at the end tells Snort to just test the configuration defined in snort.conf and then exit. As I note in the video, while interface #4 is correct for my system (the computer I was using to record the video) it is entirely likely that the right interface number for you may be different, so you may need to substitute the "4" in my startup with whatever interface number is accurate for your computer. After the test configuration succeeds, the second startup command I use is: snort -i 4 -c c:\Snort\etc\snort.conf -A console The "-A console" part directs any alert output to the screen so we can see the test rules generating alert as they happen.

Did you solve it?

For your IP address range, go to the ipvar statement for HOME_NET in Step #1 of snort.conf and use the value 172.18.1.0/24. For your startup command, the number after the -i has to be the number of the network interface active on YOUR computer. In the video I'm using interface #4 but on your computer it is likely to be 1, 2, or 3. You can check the available interfaces by running "snort -W" from c:\Snort\bin and Snort will return an ordered list of the interfaces it can "see". Use the number of the interface you want from that list and try the startup command again.

+Giorgio Mariotti Despite the line numbers in the errors it can be hard to pinpoint problems in snort.conf without knowing more about how you modified that file. The only place in the entire config file where the word "cancel" appears is in the Session Initiation Protocol preprocessor (on or near line 453). If by chance you disabled that preprocessor, can you check to make sure you commented out all the lines in the preprocessor configuration?

+Steve Gantz Can I send you my snort.conf file by e-mail?

In recent versions of snort.conf, line 326 is at the end of the http_inspect preprocessor or at the beginning of the ONC-RPC preprocessor declaration. Look at your snort.conf file and see if there are any lines commented out that may have a left brace character "{" in it without a corresponding right brace "}"

I find and count verry low, have 61 "{" and 61 "}", you can help me check my file snort.conf. www.mediafire.com/file/wamu32v76hbt27z/my+file+snort.rar

Hi Hoa, I have seen this when trying to use Snort-2983 rule-source (latest) with Snort-2982 engine. If you want to get it working, please try the below: - remove "lzma" from the "preprocessor http_inspect_server .." line. - try using the Snort-2983 engine as well. Hope this helps. Gagan

Thanks Gagandeep, i delete line 326,325 and character "/" of line 324. It work!

work here, thanks!!!

same :(

Note: I am using Snort 2.9.11.1, I have all the rules from the registered user section and the current rules in local.rules that I have are alert icmp any any -> any any (msg:"Test test HelloWorld"; sid:1000001;) alert tcp any any -> any any (msg:"test test see me"; sid:1000002;)

If Snort starts up correctly but you see no output on screen then you either don't have any alert rules enabled or (assuming you do have the rules loaded as specified in snort.conf) you may have Snort listening on the wrong interface. Try running Snort with -i 2 or other alternative interface numbers.

Jorge Macamula Check your path carefully in snort.conf. It looks like you are missing a backslash between the c: and Snort. The path should be c:\Snort\lib\snort_dynamicengine\sf_engine.dll

I am also getting it in version 2.9.8.3 : Failed to find InitializePreprocessor() function in C:\Snort\lib\snort_dynamicengine\sf_engine.dll: 127

tengo el mismo error que tu, pudiste resolverlo?

@@jonathangarciacastro1638 no

MIC CAMP Many of the default settings in snort.conf are based on UNIX/Linux systems. The Snort dynamic engine setting at line 250 needs to be changed to reflect a Windows environment. Typically on Windows that line should read: dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll

The first thing to check is that your TCP and ICMP testing rules have the correct syntax, particularly with respect to the msg: option so that when a TCP or ICMP rule is triggered there will be an alert message displayed. If you are seeing UDP alerts then you can be sure you are listening on an active network interface and that Snort is "seeing" sniffed traffic, so rule syntax is the next place to look. You can also try adding "-K none" to your startup command to disable checksum validation on packets, which sometimes causes issues on Windows, especially with TCP rules.

Nevermind. Got ride of console at end and is now okay. Forgot console was just for alerts

For the application error, install npcap

Hala Fadl-allah Check the rule in line 21 of local.rules and make sure the text you put after the msg: option keyword is enclosed in quotation marks.

All the rules in the Community ruleset are in a single file, called "community.rules". There is also a copy of snort.conf and sid-msg.map in the archive, but that's all. The registered and subscriber releases have more rules files, plus preprocessor rules and other files typically found in the /etc folder when you install Snort.

Change the -> direction indicator in your rule to if you want to cover both directions in one rule.

ctrl + f find and replace

The rule you are referencing (at line 33 of app-detect.rules) is enabled by default so the error is a bit strange. Have you confirmed that the ruleset you are running matches the version of Snort you have installed? There are a few different rulesets available from snort.org but if you are running the latest 2.9.9.0 version of Snort you need to have the ruleset that has the same version number.

To use the community rules, you need to copy the community.rules file from the zip archive you downloaded from snort.org into c:\Snort ules. Then add a new line in step #7 of snort.conf that reads: include $RULE_PATH\community.rules The other include statements need to be commented out (like the ones in step #9).

I have done all these things. I commented out in step 7 like in step 9 and the include statement ( include $RULE_PATH\community-rules In c:\Snort ules the community rules has to be a RULES file or only a file (type) ?

+knucker Snort rules files are just ascii text. The file name in snort.conf just has to exactly match the file name (including extension) as stored on the hard drive. The actual rules file needs to be extracted from the zip and saved in c:\Snort ules. It is names community.rules.

I don't have the name you said with a point but I have a folder called community-rules when i extract with 7-zip and save in c:\Snort ules

The community rules package you download from Snort contains an archive (think of it as a folder) called community-rules. Inside that archive are five files, including the actual rules file names community.rules (the other files are AUTHORS, LICENSE, sid-msg.map, and VRT-License.txt). The community.rules file is what you want in your c:\Snort ules directory.

The "commencing packet processing" message means that Snort has started and is running. If you don't see anything after that on screen, you first need to confirm you have some rules active and loaded. Assuming that is the case, then you either need to make sure you are directing output to the screen (with "-A console" in your startup command) or, if you are already doing that, you need to verify that you have Snort listening on the correct network interface.

Did fix it ? I have same problem..

Check your RULE_PATH declaration in Step #1 of your snort.conf file. Make sure the value is just the full path to the rules directory, that is, c:\Snort ules

Yes, I checked there first. But still cant chase down the issue.

var RULE_PATH c:\Snort ules# var SO_RULE_PATH ../so_rulesvar PREPROC_RULE_PATH c:\Snort\preproc_rules# If you are using reputation preprocessor set these# Currently there is a bug with relative paths, they are relative to where snort is# not relative to snort.conf like the above variables# This is completely inconsistent with how other vars work, BUG 89986# Set the absolute path appropriatelyvar WHITE_LIST_PATH c:\Snort ulesvar BLACK_LIST_PATH c:\Snort ules

You say you "only have the black.list and white.list in the rules folder". Have you copied in files from a Snort rules package, or not yet? If you haven't, then that's the source of your error. The snort.conf file is set up by default with the assumption that either the registered or subscriber rules are in place. If they aren't, you need to edit Step #7 in snort.conf to comment out references to any rules files include statements that don't have a corresponding file in c:\Snort ules.

Yes I completed that part as well. I even tried commenting them all out just to do the test run.

Anastasia That dpends on your computer and the features it has. Common interfaces include a wireless card, Ethernet card, and Bluetooth.

@WycliffeMunene-z3n There is a built in command you can run: "snort -W" with an uppercase W that will return active interfaces. it worked more reliably with winPcap than it does with npcap. If you have Wireshark, you can also use that - the interface list on the capture startup screen in Wireshark will show the available interfaces in the same order that Snort uses since both programs use the same packet capture utility.

You can add "-k ascii" to your startup command and Snort will write logs in plain text so you can read them in Notepad or another text editor.

Sinbad the Prince You are telling Snort to run on interface zero, which doesn't exist on Windows. Try -i 1 or -i 2 instead.

then it tells me "Invalid device number:" When i put "-W" command, result was nothing. Just dashes.

Sinbad the Prince Did you restart your machine after installing WinPcap? If the NPF driver isn't running then Snort can't "see" any interfaces.

So I removed win10pcap(I'm using win 10), instaled winpcap and now I have intefaces listed but now I have next message: \Snort\etc\snort.conf(0) Failed to parse the IP address: 32.0.0.0/35.0.0.0. Fatal Error, Quitting.. Msg is the same for all interfaces

I may have not started CMD as Admin. Before I wrote the last comment that is.

That message is typically associated with an alert rule from the stream preprocessor in Snort. Many preprocessor rules for Snort look for strict adherence to protocol standards like TCP, so you'll see a lot of these kinds of alerts when you use Snort.

eurhiafe The snort -W command does work on 64-bit Windows; the video was recorded on a 64-bit computer running Windows 10. I can't be sure why you aren't seeing results, especially if you have the NPF driver running. You mention you have Wireshark, so as an alternative you can open Wireshark and look at the interface list there - the order the interfaces are shown in Wireshark is the same as what should show up with snort -W so you can pick the right number to use from the list in Wireshark.

Hi Matt, I ran into a few issues myself. But once I figured out my "-i" connection which was 3; then made sure the protocols to test were recognized so as to NOT get that "bad protocol http" msg or other wise in the 'local.rules' files ; then I was good to go!

Coffee Break Yeah that was my issue as well. I had the wrong interface is all. Lol

As far as I know, there hasn't been an update to the IDMEF output plugin in several years, since version 2.8.x of Snort.

Steve Gantz so can't we get snort output in IDMEF format?

Nathaniel Guerra Did you create the whitelist and blacklist files before trying to run Snort with the reputation preprocessor enabled? The files referenced in the preprocessor configuration have to exist in the referenced location; they can be empty text files, but they have to be there.

First of all, the command is snort -W, with an uppercase W. If you run snort -W and don't get any results then Snort is not "seeing" any available interfaces on your computer. Did you install WinPcap on your computer? Snort depends on WinPcap (and the NPF driver) to be able to sniff traffic from network interfaces. Snort prompts you during installation to install WinPcap (current version is 4.1.3) but you need to complete that action yourself.

I fixed the problem , thank you so much for your help sir

The community rules are still available from the Snort.org website but the "snapshot" designation in the filename is only used for Registered and Subscriber releases. The community rules package is simply called "community-rules.tar.gz".

apparently if no adapters come up, then use -i 0...it will still validate the configuration in test mode.

installing winPCap fixed this issue.

The Snort installation routine still points Windows users to WinPcap. I haven't encountered any difficulties with Snort on Windows 10 using WinPcap 4.1.3 but there shouldn't be any downside to using win10pcap.